61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
Size

90KB
MD5

835950fdd47d67a8c47d7f4894f15493
SHA1

08e3034912a8a62e894eae0ff6b9bfcd155557ee
SHA256

61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87
SHA512

8a4ef969be1bfb5387678859f14ad2d14e11d35b0b50eb4e38acf4469e50397af3a9593a6d30c418425f488c03b25681b2d5981eff55ff8e6dba349311c88cf0
SSDEEP

1536:a7ZyqaFAlsr1++PJHJXFAIuZAIuXsJtLJtL:enaym3AIuZAIuXY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3685) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1800-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012118-2.dat	upx
behavioral1/files/0x000200000001067f-6.dat	upx
behavioral1/memory/1800-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ust-Nera.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Inuvik.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\bin\eula.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\jce.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Montreal.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe

C:\Users\Admin\AppData\Local\Temp\61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
"C:\Users\Admin\AppData\Local\Temp\61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
90KB

MD5
905520bc9a1df7fbfeb626bdf0dcb841

SHA1
fa77f5bd055f70845862b18b05b0822f931d30fe

SHA256
67d51ed2d34a7b8e2582ad5b7fbe13886cbb4836c5db05f4d5ebf35a8d5a2c17

SHA512
ef869178ee8bc07d752a60e5515e84f6915b1db5ca9b0f5a6180cfa20cc517b137e6ad7dfddc6288578867da3aca0104c77138787f98443d06321e840f411a83

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
99KB

MD5
3999cc1866f3ebee2a5475a811e19e4a

SHA1
55b323ebb5130ca6e4dcfe83f021ba556f888b7d

SHA256
e1c34204f1f8d7f3713f9be9539b7d542c58daf6042dbdfa347f3c75601db236

SHA512
44aad088a87f2da37afacba111b1ad23ca6b49fbf413e5ec335b6446ff818a29c74fe026a922f62019494b0cc5afbbb38629ed2bd1e2ebc3844c5ae8c7bbd193

Download Submit
memory/1800-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1800-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download